20140312: Group Managed Service Account capability release

A new capability is available. Some minor changes (e.g. OU permissions) have happened to enable this.

What and When:

Delegated OU customers are now able to create, delete, and manage Group Managed Service Accounts (gMSAs). This provides a self-service, higher-security option for non-interactive applications, services, and scheduled tasks that run automatically but need a security credential.

What you need to do:

Nothing.

You may want to re-evaluate the credentials used by any existing Windows-based applications, services, or scheduled tasks and consider using a gMSA instead. In particular, gMSAs provide an excellent solution for these non-interactive processes for the scenario where an IT administrator leaves. You don’t need to manually change all the passwords known by that IT administrator or accept a risk by not changing those passwords.

Note that gMSAs are more like AD computer accounts than like AD user accounts, and gMSAs are not UW NetIDs. gMSAs can be members of UW Groups.

If you have questions about this new capability, either respond to this email over on the uwwi-discuss@uw.edu mailing list, or send email to help@uw.edu with “UWWI gMSAs” in the subject line to get someone from the UWWI service team.